Open sherlock-admin2 opened 9 months ago
I believe this is a duplicate of another issue.
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid because { valid user can avoid liquidation}
Acknowledged this is a very minor risk in the case this prevents a liquidation. However, I think the fix here is to put a try / catch around the reward block and it results in a loss of rewards for the blacklisted account rather than changing the entire UX of the process.
The protocol team fixed this issue in PR/commit https://github.com/notional-finance/contracts-v3/pull/30.
The Lead Senior Watson signed-off on the fix.
xiaoming90
high
Malicious users could block liquidation or perform DOS
Summary
The current implementation uses a "push" approach where reward tokens are sent to the recipient during every update, which introduces additional attack surfaces that the attackers can exploit. An attacker could intentionally affect the outcome of the transfer to gain a certain advantage or carry out certain attack.
The worst-case scenario is that malicious users might exploit this trick to intentionally trigger a revert when someone attempts to liquidate their unhealthy accounts to block the liquidation, leaving the protocol with bad debts and potentially leading to insolvency if it accumulates.
Vulnerability Detail
Per the Audit Scope Documentation provided by the protocol team on the contest page, the reward tokens can be any arbitrary ERC20 tokens
Line 231 of the
_claimRewards
function below might revert due to various issues such as:https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/adapters/SecondaryRewarder.sol#L231
If a revert occurs, the following functions are affected:
Impact
Many of the core functionalities of the protocol will be affected by the revert. Specifically, the
BalancerHandler._finalize
has the most impact as this function is called by almost every critical functionality of the protocol, including deposit, withdrawal, and liquidation.The worst-case scenario is that malicious users might exploit this trick to intentionally trigger a revert when someone attempts to liquidate their unhealthy accounts to block the liquidation, leaving the protocol with bad debts and potentially leading to insolvency if it accumulates.
Code Snippet
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/adapters/SecondaryRewarder.sol#L231
Tool used
Manual Review
Recommendation
The current implementation uses a "push" approach where reward tokens are sent to the recipient during every update, which introduces additional attack surfaces that the attackers can exploit.
Consider adopting a pull method for users to claim their rewards instead so that the transfer of reward tokens is disconnected from the updating of reward balances.